'''[https://www.gnu.org/software/grub/grub.html GRUB2]''' is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.

+

'''[https://www.gnu.org/software/grub/grub.html GRUB 2]''' is a modular, multiboot-capable bootloader for many operating systems that can be used as a payload for coreboot.

−

+

== Status ==

== Status ==

+

GRUB 2 can be launched:

+

* Directly by coreboot as a payload

+

* Directly by SeaBIOS as a payload

+

* By SeaBIOS, on disk, as it would with a normal BIOS.

−

* The mainline version of GRUB2 has a [http://grub.enbug.org/CoreBoot wiki page on the coreboot port] (Update: no longer available)

+

Recent bzr versions have improved memory management that removes the memory limitations when ran as a payload.

−

* Additional information about our former GRUB2 effort (which was part of Google Summer of Code 2007) can be found in the history of this page. Don't expect any link there to work.

+

−

* As an alternative, you could consider using [[FILO]]. Both FILO and GRUB2 have various advantages and disadvantages. Which of the two is better suited depends on your requirements.

+

−

* Yet another alternative is to not put GRUB into the BIOS ROM, but have it run from your disk as you would with a vendor BIOS. For that, you can use [[SeaBIOS]] as payload, which will then be able to run either GRUB1 or GRUB2 from your disk.
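Review bot: the added Status line "Recent bzr versions have improved memory management..." gives no revision number or date, so a reader cannot tell whether a given GRUB build still has the memory limitation; name the first bzr revision that carries the fix, and change "when ran" to "when run". The removed bullets were also the only pointers to [[FILO]] and to booting GRUB from disk through [[SeaBIOS]]; keeping the wiki links on the new "By SeaBIOS" items would preserve that navigation.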

+

+

== features ==

+

=== Security ===

+

==== signed kernels ====

+

GRUB is capable of running only trusted(signed) kernels.

+

* it supports only DSA gpg keys

−

== Compiling GRUB2 for being use as a payload ==

+

Here's a little howto.

−

See [[Talk:GRUB2]] and [https://lists.gnu.org/archive/html/grub-devel/2011-06/msg00003.html here] for more details.
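Review bot: the heading "== Compiling GRUB2 for being use as a payload ==" and the line linking to [[Talk:GRUB2]] and the grub-devel post are removed here and replaced only by "Here's a little howto.", so in the visible lines the reference for build details is lost. Either keep the link next to the howto or state where the payload build instructions now live. The new "== features ==" heading should also be capitalised to match "== Status ==", and the bullet "it supports only DSA gpg keys" would be easier to act on if it named the GRUB version it was checked against.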

+

+

First generate a key:

+

$ gpg --gen-key

+

gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.

+

This is free software: you are free to change and redistribute it.

+

There is NO WARRANTY, to the extent permitted by law.

+

+

Please select what kind of key you want:

+

(1) RSA and RSA (default)

+

(2) DSA and Elgamal

+

(3) DSA (sign only)

+

(4) RSA (sign only)

+

Your selection? 3

+

DSA keys may be between 1024 and 3072 bits long.

+

What keysize do you want? (2048) 3072

+

Requested keysize is 3072 bits

+

Please specify how long the key should be valid.

+

0 = key does not expire

+

<n> = key expires in n days

+

<n>w = key expires in n weeks

+

<n>m = key expires in n months

+

<n>y = key expires in n years

+

Key is valid for? (0)

+

Key does not expire at all

+

Is this correct? (y/N) y

+

+

GnuPG needs to construct a user ID to identify your key.

+

+

Real name: Denis 'GNUtoo' Carikli

+

Email address: GNUtoo@no-log.org

+

Comment: Kernel signing key

+

You selected this USER-ID:

+

"Denis 'GNUtoo' Carikli (Kernel signing key) <GNUtoo@no-log.org>"

+

+

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

+

You need a Passphrase to protect your secret key.

+

+

We need to generate a lot of random bytes. It is a good idea to perform

+

some other action (type on the keyboard, move the mouse, utilize the

+

disks) during the prime generation; this gives the random number

+

generator a better chance to gain enough entropy.

+

gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest

+

size

+

gpg: key C86D4C64 marked as ultimately trusted

+

public and secret key created and signed.

+

+

gpg: checking the trustdb

+

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

+

gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u

+

pub 3072D/C86D4C64 2013-03-13

+

Key fingerprint = 7244 AC33 F9A7 9AE8 30DE 8996 9097 B48D C86D 4C64

+

uid Denis 'GNUtoo' Carikli (Kernel signing key)

+

<GNUtoo@no-log.org>

+

+

Note that this key cannot be used for encryption. You may want to use

+

the command "--edit-key" to generate a subkey for this purpose.

+

Then sign the kernels and initramfs:

+

cd /boot

+

sudo -E gpg --detach-sign vmlinuz-linux-libre-pae

+

sudo -E gpg --detach-sign initramfs-linux-libre-pae.img

+

+

gpg --export > boot.key

+

Then you can put the key on the memdisk (advised) or the boot partition for test purposes only.

+

Then in GRUB do (for testing purposes):

+

trust boot.key

+

set check_signatures=enforce

+

to only boot correctly signed kernels and initramfs...

+

+

Then load kernel and initramfs as usual...
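Review bot: "gpg --export > boot.key" is run without naming a key, so gpg writes every public key in the invoking user's keyring into the file that "trust boot.key" then loads. Export only the signing key created above, for example "gpg --export C86D4C64 > boot.key", so that boot.key holds nothing but the key meant to be trusted. The signing commands use "sudo -E gpg" while the export uses plain "gpg"; a sentence saying that both must read the same keyring would help. The text also says the boot partition is for test purposes only without giving the reason: anyone who can write that partition can replace boot.key or the configuration that sets check_signatures.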

+

+

==== Trisquel, Ubuntu, Debian ====

+

We want automatics hooks to sign our kernel so we don't have to do it manually each time...

+

The following howto was tested on trisquel 6

+

Generate the key as root(sudo su) like we just explained, but without a password

+

In debian based distributions you can hook the kernel build to sign the result:

+

Add the following to /etc/kernel/postinst.d/yy-update-signatures

+

#! /bin/sh

+

set -e

+

+

version="$1"

+

+

gpg --detach-sign /boot/vmlinuz-${version}

+

gpg --detach-sign /boot/initrd.img-${version}

+

Then do:

+

chmod +x /etc/kernel/postinst.d/yy-update-signatures

+

Then do:

+

gpg --export > /boot/boot.key
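Review bot: in the yy-update-signatures hook, "gpg --detach-sign /boot/vmlinuz-${version}" runs non-interactively, but gpg asks before overwriting an existing .sig file, so reinstalling a kernel version that was already signed will make the hook fail under "set -e". Add "--batch --yes" to both gpg calls and quote the argument ("/boot/vmlinuz-${version}"). The howto also relies on a root-owned key "without a password" and on "gpg --export > /boot/boot.key", which exports the whole keyring onto the partition the earlier section reserves for testing; say so explicitly here and name the key to export. It is worth stating too that the initrd must be signed again whenever it is regenerated outside a kernel install, since the hook only runs from /etc/kernel/postinst.d.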

+

+

Then modify /etc/grub.d/10_linux to use bash instead of sh like that:

+

#! /bin/bash

+

And also modify to that:

+

<pre>

+

case x`uname -m` in

+

xi?86 | xx86_64)

+

list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do

+

if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi

+

done` ;;

+

*)

+

list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do

+

if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi

+

done` ;;

+

esac

+

</pre>

+

To look like that:

+

<pre>

+

case x`uname -m` in

+

xi?86 | xx86_64)

+

list=`for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do

+

if [[ "$i" != /boot/*.sig ]] ; then

+

if grub_file_is_not_garbage "$i" ; then echo -n "$i " ; fi

+

fi

+

done` ;;

+

*)

+

list=`for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do
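Review bot: the new test [[ "$i" != /boot/*.sig ]] only filters signatures under /boot, while the same loop also globs /vmlinuz-* (and /vmlinux-* in the second branch), so a .sig file next to a kernel in / would still be listed as a kernel. It is also the only reason the script's interpreter is changed to /bin/bash. A POSIX pattern match such as case "$i" in *.sig) ;; *) ... ;; esac covers every location and lets 10_linux stay on /bin/sh. The visible lines stop before the body of the "*)" branch, so check that the same filter is applied there as well.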

Then put the key on the memdisk (advised) or, for test purposes only, on the boot partition.

Then in GRUB do (for testing purposes):

 trust boot.key
 set check_signatures=enforce

to boot only correctly signed kernels and initramfs.

Then load kernel and initramfs as usual...
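Before turning on check_signatures=enforce it is worth confirming that every kernel and initramfs has a current detached signature, because GRUB will then refuse files that lack one. The script below is an added example, not part of the original wiki page; the function name audit_boot_sigs, the VERIFY switch and the file name patterns are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the wiki page. With check_signatures=enforce GRUB
# refuses any file whose detached signature is missing or does not verify,
# so audit the boot directory before rebooting.
# Assumption: the file name patterns below match the kernels and initramfs
# images named on this page; adjust them for other distributions.

# audit_boot_sigs DIR
# Prints "MISSING <file>", "STALE <file>" or "BAD <file>" per problem.
# Returns 0 if every kernel/initramfs has a usable .sig, 1 otherwise.
# Set VERIFY=1 to also run "gpg --verify" on each signature.
audit_boot_sigs() {
    dir="$1"
    rc=0
    for f in "$dir"/vmlinuz-* "$dir"/initrd.img-* "$dir"/initramfs-*; do
        [ -f "$f" ] || continue                  # glob matched nothing
        case "$f" in *.sig) continue ;; esac     # skip the signatures themselves
        if [ ! -f "$f.sig" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$f" -nt "$f.sig" ]; then
            # File modified after it was signed (e.g. initramfs regenerated)
            echo "STALE $f"; rc=1
        elif [ "${VERIFY:-0}" = 1 ] && ! gpg --verify "$f.sig" "$f" >/dev/null 2>&1; then
            echo "BAD $f"; rc=1
        fi
    done
    return "$rc"
}

# Run against a directory when one is given on the command line.
[ "$#" -eq 0 ] || audit_boot_sigs "$1"
```

The modification-time comparison only catches files changed after signing; running with VERIFY=1 uses the same keyring as the signing step to check the signatures themselves.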

==== Trisquel, Ubuntu, Debian ====

We want automatic hooks to sign our kernel so we don't have to do it manually each time.

The following howto was tested on Trisquel 6.

Generate the key as root (sudo su) as explained above, but without a password.

In Debian-based distributions you can hook the kernel build to sign the result:

Add the following to /etc/kernel/postinst.d/yy-update-signatures